In those types of reviews/audits, documentation is the first indicator of whether a security organization has their act together. It's about building a trust relationship between the accreditor and contractor that will have to endure for years, as nation-state level actors throw their resources at finding vulnerabilities. MS couldn't do this or couldn't be bothered to do this. So shit documentation -> shit security processes and operations -> shit security -> shit cloud product in a government context. So the title wasn't that much of a stretch.
They still lied, because they didn't say "X is shit" but "Z said that X is shit", however Z apparently never said that.
I have become very cautious of such stories for this very reason. Who gets how much blame has a lot to do with "culture" or momentum. Bashing Microsoft for example is always super fine, but at multiple occasions I found the facts to be much more nuanced.
It's true, they lied. But, paradoxically, in this case, while they lied about details, the conclusion is still true: Azure is very far from AWS and GCP as far as security is concerned. I have my own suspicions why it is so, but the reasons are not important, what counts is the final conclusion: if you really care for security, you'd better chose one of the other two.